United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE 
United States Patent and Trademark Office

Address: COMMISSIONER FOR PATENTS 



APPLICATION NO. 



10/058,954



FILING DATE 



OI/2K/2002 



FIRST NAMED INVENTOR 



Edward B. Boden 



ATTORNEY DOCKET NO. CONFIRMATION NO. 



END920010095US1 



30206 7590 06/29/20 

IBM CORPORATION 
ROCHESTER IP LAW DEPT. 917 
3605 HIGHWAY 52 NORTH 
ROCHESTER, MN 55901-7829 



POLTORAK, PIOTR 



PAPER NUMBER 



DELIVERY MODE 



Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 





Application No. 

10/058,954 


Applicant(s) 

BODEN, EDWARD B. 


Examiner 

PETER POLTORAK 


Art Unit 

2434 





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address — 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b).

Status

1) ☒ Responsive to communication(s) filed on 11 May 2009.
2a) ☒ This action is FINAL. 2b) □ This action is non-final.
3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) ☒ Claim(s) 1-31 is/are pending in the application.
4a) Of the above claim(s) ____ is/are withdrawn from consideration.
5) □ Claim(s) ____ is/are allowed.
6) ☒ Claim(s) 1-31 is/are rejected.
7) □ Claim(s) ____ is/are objected to.
8) □ Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers

9) □ The specification is objected to by the Examiner.
10) □ The drawing(s) filed on ____ is/are: a) □ accepted or b) □ objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) □ All b) □ Some * c) □ None of:
1. □ Certified copies of the priority documents have been received.
2. □ Certified copies of the priority documents have been received in Application No. ____.
3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

Attachment(s)

1) □ Notice of References Cited (PTO-892)
2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) □ Information Disclosure Statement(s) (PTO/SB/08) Paper No(s)/Mail Date ____.
4) □ Interview Summary (PTO-413) Paper No(s)/Mail Date ____.
5) □ Notice of Informal Patent Application
6) □ Other: ____.



PTOL-326 (Rev. 08-06)



Office Action Summary 



Part of Paper No./Mail Date 20090622 



Application/Control Number: 10/058,954 Page 2 

Art Unit: 2434 

DETAILED ACTION 

1. Applicant's communication received on 9/11/08 has been entered.



Response to Arguments 

2. Applicant argues that "the problem identified in the present invention is that
companies have a security policy that requires all traffic between nodes to be
protected in a connection using IPsec security associations. Accordingly it is
impossible for IKE traffic to be protected in a connection it has yet to establish" and
that neither Jason, Zhou nor Pfleeger identifies this problem.

Applicant's arguments have been carefully considered, but the examiner respectfully
points out that the question of whether the invention of Jason in view of Zhou and
Pfleeger addresses the problem that applicant's invention attempts to solve is irrelevant,
especially since Jason in view of Zhou and Pfleeger (and Noehring) meets all
limitations required by the claim language.

3. As per the rejection over Jason in view of Zhou and Pfleeger, applicant argues that the
references don't teach that "an IKE traffic enablement system for automatically
allowing IKE traffic from outside the VPN to flow into the VPN if the IKE traffic permit
filters are not detected." To support the allegation applicant suggests that
"[Pfleeger's] 'Screening routers look only to the headers of packets, not at the data
inside the packets. Therefore, a screening router would pass anything to port 25,
assuming its screening rules said to allow inbound connection to that port.' Hence,
Pfleeger teaches against allowing IKE traffic from outside the VPN to flow into the
VPN if the IKE traffic permit filters are not detected."

Applicant's arguments have been carefully considered but were not found
persuasive.

First, the examiner points out that the argued limitation "an IKE traffic enablement 
system for automatically allowing IKE traffic from outside the VPN to flow into the 
VPN if the IKE traffic permit filters are not detected" is an intended use limitation,
and it is noted that a claim containing a "recitation with respect to the manner in 
which a claimed apparatus (i.e. enablement system) is intended to be employed 
does not differentiate the claimed apparatus from a prior art apparatus" if the prior 
art apparatus teaches all the structural limitations of the claim. Ex parte Masham, 2 
USPQ2d 1647 (Bd. Pat. App. & Inter. 1987). 

Secondly, as disclosed on pg. 429-431, Pfleeger clearly suggests employing
filters selectively, i.e. by origination and/or destination traffic points, ports, etc.
Furthermore, an ordinary artisan would readily recognize that in order to allow IKE
traffic (either from 202 to 206 or from 206 to 202) as shown in Jason in view of
Zhou's invention, Pfleeger's firewall applied on the first node should not block the
IKE traffic or, putting it plainly, the firewall filters should not be implemented on the
IKE traffic outside the VPN flowing into the VPN, and IKE filters that are not
implemented clearly would not be detected.



4. Claims 1-31 have been examined.

The text of those sections of Title 35, U.S. Code not included in this action can be
found in a prior Office Action.



Claim Rejections - 35 USC § 103 

5. Claims 1-4, 7-8 and 9-11, 13-27 and 30-31 remain rejected under 35 U.S.C. 103(a)
as being unpatentable over Jason (USPN 6636520) in view of Zhou (J. Zhou, "Further
analysis of the Internet key exchange protocol", Computer Communications, Volume
23, Issue 17, 11/1/2000) and further in view of Pfleeger (Charles P. Pfleeger,
"Security in computing", 2nd edition, 1996, ISBN: 0133374866).

As per claim 1, Jason (USPN 6636520) discloses a virtual private network (VPN1,
also referred to as T1) that enables second VPN traffic (VPN2/T2, see Jason, Fig.
2 and associated text).

6. Jason does not disclose that the T2 uses IKE protocols. 

Zhou discloses the use of IKE protocols (e.g. Zhou, "1. Introduction" and "2. IKE
protocol"). It would have been obvious to an ordinary artisan to configure T2
disclosed by Jason to use IKE protocols given the benefit of security.
T2 using IKE protocols equates to IKE traffic.

7. Jason discloses that T1 is established prior to T2; thus, IKE traffic from outside the
VPN flows into the VPN. Establishing T1 prior to T2 evidences that the VPN connection
precedes IKE traffic management through the VPN.

8. Jason in view of Zhou discloses a first node within the VPN (e.g. 204 or 206) but is
silent in regard to the node using a filter detection system for searching for IKE traffic
permit filters.

Pfleeger discloses a filter detection system for searching IKE traffic permit filters 
(firewalls such as screening routers or proxy gateways, Pfleeger pg. 429-431). 
It would have been obvious to one of ordinary skill in the art at the time of applicant's
invention to employ a filter detection system for searching IKE traffic permit filters on
a first node as taught by Pfleeger given the benefit of enabling only authorized traffic.

9. IKE traffic is freely allowed (either from 202 to 206 or from 206 to 202) in Jason in
view of Zhou's invention. In other words, IKE traffic permit filters are not detected
and IKE traffic is allowed to flow automatically through the VPN, which would equate to
"automatically allowing IKE traffic from outside the VPN to flow into the VPN if the
IKE traffic permit filters are not detected".

10. Finally, it is noted that a first node (e.g. 204 or 206) is an endpoint in a VPN
connection (see Fig. 2) and as such, the examiner equates the mechanism
implementing VPN capabilities on the first node to a gateway.

11. As per claim 3, node 206 equates to a second/remote node. (Note that for the
purpose of claim 3, nodes 208 and/or 210 also read on a second node.)

12. As per claim 4, IKE traffic as discussed in Jason in view of Zhou's invention is used
to establish tunnel T2 and thus establishes security associations for a VPN connection
between the first node and the second node.

13. As per claim 7, a traffic management system implementing IKE traffic must have
entries that identify the connection between nodes, IP address of connected nodes
and security associations for the VPN connections; otherwise communicating traffic
between these nodes would not be possible. Even if the traffic were somehow
implemented without these entries, using entries that identify the connection between
nodes (e.g. a port), IP address of connected nodes and security associations is old and
well known in the art of computer networking (e.g. proxies, VPNs etc.), and including
them would have been an obvious variation given the benefit of correct data
communication. Also, given the fact that it is old and well known in the art that
tables are used to store information (e.g. ACL, DNS entries etc.), it would have been
obvious to one of ordinary skill in the art at the time of applicant's invention to
employ tables to store the IKE traffic entries for the motivation of quick access to the
information. Additionally, as per claim 8, tunnels T1 and T2 equate to nested VPN
connections.

14. Claims 9-11, 13-27 and 30-31 are substantially equivalent to claims 2-8; therefore
claims 9-11, 13-27 and 30-31 are similarly rejected.

15. Claims 5-6, 12 and 28-29 remain rejected under 35 U.S.C. 103(a) as being
unpatentable over Jason (USPN 6636520) in view of Zhou (J. Zhou, "Further analysis
of the Internet key exchange protocol", Computer Communications, Volume 23,
Issue 17, 11/1/2000) and Pfleeger (Charles P. Pfleeger, "Security in computing", 2nd
edition, 1996, ISBN: 0133374866), and further in view of Noehring (USPUB
2002/0188871).

16. Jason in view of Zhou and Pfleeger teach the first and the second node and the IKE
traffic enablement system for automatically allowing IKE traffic from outside the VPN 
to flow into the VPN as discussed above. 

17. Jason in view of Zhou and Pfleeger do not teach the IKE traffic enablement system 
allowing refreshing IKE traffic (used to refresh security association) to flow between 
the first node and the second node. 

18. Noehring discloses an IKE traffic enablement system allowing refreshing IKE traffic 
(used to refresh security association) to flow between the first node and the second 
node (Noehring, col. 15, claims 7-8, for example). It would have been obvious to one
of ordinary skill in the art at the time of applicant's invention to enable the IKE traffic
enablement system to allow refreshing IKE traffic (used to refresh security association) to
flow between the first node and the second node as taught by Noehring given the
benefit of a maintained connection after the expiration of the security associations.
Note that IKE is used to establish a tunnel (VPN connection) between the first and 
the second node. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within
TWO MONTHS of the mailing date of this final action and the advisory action is not
mailed until after the end of the THREE-MONTH shortened statutory period, then the
shortened statutory period will expire on the date the advisory action is mailed, and any
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later
than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Peter Poltorak whose telephone number is (571)
272-3840. The examiner can normally be reached Monday through Thursday from 9:00
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand, can be reached on (571) 272-3811. The fax phone number
for the organization where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



/Peter Poltorak/ 
Examiner, Art Unit 2434 